fix(security): harden archive extraction (#16203)

* fix(browser): confine upload paths for file chooser * fix(browser): sanitize suggested download filenames * chore(lint): avoid control regex in download sanitizer * test(browser): cover absolute escape paths * docs(browser): update upload example path * refactor(browser): centralize upload path confinement * fix(infra): harden tmp dir selection * fix(security): harden archive extraction * fix(infra): harden tar extraction filter
2026-05-08 02:31:22 +00:00 · 2026-02-14 14:42:08 +01:00
parent 9a134c8a10
commit 3aa94afcfd
19 changed files with 1179 additions and 100 deletions
--- a/src/infra/tmp-openclaw-dir.test.ts
+++ b/src/infra/tmp-openclaw-dir.test.ts
@@ -5,12 +5,25 @@ import { POSIX_OPENCLAW_TMP_DIR, resolvePreferredOpenClawTmpDir } from "./tmp-op
 describe("resolvePreferredOpenClawTmpDir", () => {
  it("prefers /tmp/openclaw when it already exists and is writable", () => {
    const accessSync = vi.fn();
-    const statSync = vi.fn(() => ({ isDirectory: () => true }));
+    const lstatSync = vi.fn(() => ({
+      isDirectory: () => true,
+      isSymbolicLink: () => false,
+      uid: 501,
+      mode: 0o40700,
+    }));
+    const mkdirSync = vi.fn();
+    const getuid = vi.fn(() => 501);
    const tmpdir = vi.fn(() => "/var/fallback");

-    const resolved = resolvePreferredOpenClawTmpDir({ accessSync, statSync, tmpdir });
+    const resolved = resolvePreferredOpenClawTmpDir({
+      accessSync,
+      lstatSync,
+      mkdirSync,
+      getuid,
+      tmpdir,
+    });

-    expect(statSync).toHaveBeenCalledTimes(1);
+    expect(lstatSync).toHaveBeenCalledTimes(1);
    expect(accessSync).toHaveBeenCalledTimes(1);
    expect(resolved).toBe(POSIX_OPENCLAW_TMP_DIR);
    expect(tmpdir).not.toHaveBeenCalled();
@@ -18,28 +31,63 @@ describe("resolvePreferredOpenClawTmpDir", () => {

  it("prefers /tmp/openclaw when it does not exist but /tmp is writable", () => {
    const accessSync = vi.fn();
-    const statSync = vi.fn(() => {
+    const lstatSync = vi.fn(() => {
      const err = new Error("missing") as Error & { code?: string };
      err.code = "ENOENT";
      throw err;
    });
+    const mkdirSync = vi.fn();
+    const getuid = vi.fn(() => 501);
    const tmpdir = vi.fn(() => "/var/fallback");

-    const resolved = resolvePreferredOpenClawTmpDir({ accessSync, statSync, tmpdir });
+    // second lstat call (after mkdir) should succeed
+    lstatSync.mockImplementationOnce(() => {
+      const err = new Error("missing") as Error & { code?: string };
+      err.code = "ENOENT";
+      throw err;
+    });
+    lstatSync.mockImplementationOnce(() => ({
+      isDirectory: () => true,
+      isSymbolicLink: () => false,
+      uid: 501,
+      mode: 0o40700,
+    }));
+
+    const resolved = resolvePreferredOpenClawTmpDir({
+      accessSync,
+      lstatSync,
+      mkdirSync,
+      getuid,
+      tmpdir,
+    });

    expect(resolved).toBe(POSIX_OPENCLAW_TMP_DIR);
    expect(accessSync).toHaveBeenCalledWith("/tmp", expect.any(Number));
+    expect(mkdirSync).toHaveBeenCalledWith(POSIX_OPENCLAW_TMP_DIR, expect.any(Object));
    expect(tmpdir).not.toHaveBeenCalled();
  });

  it("falls back to os.tmpdir()/openclaw when /tmp/openclaw is not a directory", () => {
    const accessSync = vi.fn();
-    const statSync = vi.fn(() => ({ isDirectory: () => false }));
+    const lstatSync = vi.fn(() => ({
+      isDirectory: () => false,
+      isSymbolicLink: () => false,
+      uid: 501,
+      mode: 0o100644,
+    }));
+    const mkdirSync = vi.fn();
+    const getuid = vi.fn(() => 501);
    const tmpdir = vi.fn(() => "/var/fallback");

-    const resolved = resolvePreferredOpenClawTmpDir({ accessSync, statSync, tmpdir });
+    const resolved = resolvePreferredOpenClawTmpDir({
+      accessSync,
+      lstatSync,
+      mkdirSync,
+      getuid,
+      tmpdir,
+    });

-    expect(resolved).toBe(path.join("/var/fallback", "openclaw"));
+    expect(resolved).toBe(path.join("/var/fallback", "openclaw-501"));
    expect(tmpdir).toHaveBeenCalledTimes(1);
  });

@@ -49,16 +97,96 @@ describe("resolvePreferredOpenClawTmpDir", () => {
        throw new Error("read-only");
      }
    });
-    const statSync = vi.fn(() => {
+    const lstatSync = vi.fn(() => {
      const err = new Error("missing") as Error & { code?: string };
      err.code = "ENOENT";
      throw err;
    });
+    const mkdirSync = vi.fn();
+    const getuid = vi.fn(() => 501);
    const tmpdir = vi.fn(() => "/var/fallback");

-    const resolved = resolvePreferredOpenClawTmpDir({ accessSync, statSync, tmpdir });
+    const resolved = resolvePreferredOpenClawTmpDir({
+      accessSync,
+      lstatSync,
+      mkdirSync,
+      getuid,
+      tmpdir,
+    });

-    expect(resolved).toBe(path.join("/var/fallback", "openclaw"));
+    expect(resolved).toBe(path.join("/var/fallback", "openclaw-501"));
+    expect(tmpdir).toHaveBeenCalledTimes(1);
+  });
+
+  it("falls back when /tmp/openclaw is a symlink", () => {
+    const accessSync = vi.fn();
+    const lstatSync = vi.fn(() => ({
+      isDirectory: () => true,
+      isSymbolicLink: () => true,
+      uid: 501,
+      mode: 0o120777,
+    }));
+    const mkdirSync = vi.fn();
+    const getuid = vi.fn(() => 501);
+    const tmpdir = vi.fn(() => "/var/fallback");
+
+    const resolved = resolvePreferredOpenClawTmpDir({
+      accessSync,
+      lstatSync,
+      mkdirSync,
+      getuid,
+      tmpdir,
+    });
+
+    expect(resolved).toBe(path.join("/var/fallback", "openclaw-501"));
+    expect(tmpdir).toHaveBeenCalledTimes(1);
+  });
+
+  it("falls back when /tmp/openclaw is not owned by the current user", () => {
+    const accessSync = vi.fn();
+    const lstatSync = vi.fn(() => ({
+      isDirectory: () => true,
+      isSymbolicLink: () => false,
+      uid: 0,
+      mode: 0o40700,
+    }));
+    const mkdirSync = vi.fn();
+    const getuid = vi.fn(() => 501);
+    const tmpdir = vi.fn(() => "/var/fallback");
+
+    const resolved = resolvePreferredOpenClawTmpDir({
+      accessSync,
+      lstatSync,
+      mkdirSync,
+      getuid,
+      tmpdir,
+    });
+
+    expect(resolved).toBe(path.join("/var/fallback", "openclaw-501"));
+    expect(tmpdir).toHaveBeenCalledTimes(1);
+  });
+
+  it("falls back when /tmp/openclaw is group/other writable", () => {
+    const accessSync = vi.fn();
+    const lstatSync = vi.fn(() => ({
+      isDirectory: () => true,
+      isSymbolicLink: () => false,
+      uid: 501,
+      mode: 0o40777,
+    }));
+    const mkdirSync = vi.fn();
+    const getuid = vi.fn(() => 501);
+    const tmpdir = vi.fn(() => "/var/fallback");
+
+    const resolved = resolvePreferredOpenClawTmpDir({
+      accessSync,
+      lstatSync,
+      mkdirSync,
+      getuid,
+      tmpdir,
+    });
+
+    expect(resolved).toBe(path.join("/var/fallback", "openclaw-501"));
    expect(tmpdir).toHaveBeenCalledTimes(1);
  });
 });